audit-packages.conf vs. pkg_install.conf for IGNORE_URLS ?

Hi,
I just noticed that vulnerability check message states that
IGNORE_URLS should be set in audit-packages.conf, but shouldn't it be
pkg_install.conf instead ?
njoly@petaure [emulators/qemu]> make
=> Bootstrap dependency digest>=20010302: found digest-20080510
===> Checking for vulnerabilities in qemu-0.9.1
Package qemu-0.9.1 has a information-disclosure vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0928
Package qemu-0.9.1 has a security-bypass vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2004
Package qemu-0.9.1 has a denial-of-service vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2382
ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URLS in
audit-packages.conf(5) if this package is absolutely essential.
*** Error code 1
--
Nicolas Joly
Biological Software and Databanks.
Institut Pasteur, Paris.